diff --git a/agent/modals/quote/quote_add.php b/agent/modals/quote/quote_add.php index ad3f0d3a..3d47bbe7 100644 --- a/agent/modals/quote/quote_add.php +++ b/agent/modals/quote/quote_add.php @@ -14,6 +14,7 @@ ob_start();
+
diff --git a/agent/modals/quote/quote_copy.php b/agent/modals/quote/quote_copy.php index 2fe90eac..32c07458 100644 --- a/agent/modals/quote/quote_copy.php +++ b/agent/modals/quote/quote_copy.php @@ -23,6 +23,7 @@ ob_start();
+
diff --git a/agent/modals/quote/quote_edit.php b/agent/modals/quote/quote_edit.php index d6523d60..ed3aec99 100644 --- a/agent/modals/quote/quote_edit.php +++ b/agent/modals/quote/quote_edit.php @@ -29,6 +29,7 @@ ob_start();
+
diff --git a/agent/modals/quote/quote_export.php b/agent/modals/quote/quote_export.php index 5a598c15..daec4dc0 100644 --- a/agent/modals/quote/quote_export.php +++ b/agent/modals/quote/quote_export.php @@ -15,6 +15,7 @@ ob_start();
+
diff --git a/agent/modals/quote/quote_note.php b/agent/modals/quote/quote_note.php index 26bdd8cd..817a8017 100644 --- a/agent/modals/quote/quote_note.php +++ b/agent/modals/quote/quote_note.php @@ -10,6 +10,7 @@
+
diff --git a/agent/modals/quote/quote_to_invoice.php b/agent/modals/quote/quote_to_invoice.php index af3b03eb..8f70f8a0 100644 --- a/agent/modals/quote/quote_to_invoice.php +++ b/agent/modals/quote/quote_to_invoice.php @@ -24,6 +24,7 @@ ob_start();
+
diff --git a/agent/post/quote.php b/agent/post/quote.php index 6a650d60..0e8fd105 100644 --- a/agent/post/quote.php +++ b/agent/post/quote.php @@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed"); if (isset($_POST['add_quote'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_sales', 2); require_once 'quote_model.php'; @@ -46,6 +48,8 @@ if (isset($_POST['add_quote'])) { if (isset($_POST['add_quote_copy'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_sales', 2); $quote_id = intval($_POST['quote_id']); @@ -114,6 +118,8 @@ if (isset($_POST['add_quote_copy'])) { if (isset($_POST['add_quote_to_invoice'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_sales', 2); $quote_id = intval($_POST['quote_id']); @@ -187,6 +193,8 @@ if (isset($_POST['add_quote_to_invoice'])) { if (isset($_POST['add_quote_item'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_sales', 2); $quote_id = intval($_POST['quote_id']); @@ -241,6 +249,8 @@ if (isset($_POST['add_quote_item'])) { if (isset($_POST['quote_note'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_sales', 2); $quote_id = intval($_POST['quote_id']); @@ -265,6 +275,8 @@ if (isset($_POST['quote_note'])) { if (isset($_POST['edit_quote'])) { + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_sales', 2); require_once 'quote_model.php'; @@ -299,6 +311,8 @@ if (isset($_POST['edit_quote'])) { if (isset($_GET['delete_quote'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_sales', 3); $quote_id = intval($_GET['delete_quote']); @@ -341,6 +355,8 @@ if (isset($_GET['delete_quote'])) { if (isset($_GET['delete_quote_item'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_sales', 2); $item_id = intval($_GET['delete_quote_item']); @@ -375,6 +391,8 @@ if (isset($_GET['delete_quote_item'])) { if (isset($_GET['mark_quote_sent'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_sales', 2); $quote_id = intval($_GET['mark_quote_sent']); @@ -399,6 +417,8 @@ if (isset($_GET['mark_quote_sent'])) { if (isset($_GET['accept_quote'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_sales', 2); $quote_id = intval($_GET['accept_quote']); @@ -425,6 +445,8 @@ if (isset($_GET['accept_quote'])) { if (isset($_GET['decline_quote'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_sales', 2); $quote_id = intval($_GET['decline_quote']); @@ -451,6 +473,8 @@ if (isset($_GET['decline_quote'])) { if (isset($_GET['email_quote'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_sales', 2); $quote_id = intval($_GET['email_quote']); @@ -529,6 +553,8 @@ if (isset($_GET['email_quote'])) { if (isset($_GET['mark_quote_invoiced'])) { + validateCSRFToken($_GET['csrf_token']); + enforceUserPermission('module_sales', 2); $quote_id = intval($_GET['mark_quote_invoiced']); @@ -553,6 +579,8 @@ if (isset($_GET['mark_quote_invoiced'])) { if(isset($_POST['export_quotes_csv'])){ + validateCSRFToken($_POST['csrf_token']); + enforceUserPermission('module_sales'); if ($_POST['client_id']) { @@ -611,6 +639,10 @@ if(isset($_POST['export_quotes_csv'])){ if (isset($_GET['export_quote_pdf'])) { + validateCSRFToken($_GET['csrf_token']); + + enforceUserPermission('module_sales'); + $quote_id = intval($_GET['export_quote_pdf']); $sql = mysqli_query( diff --git a/agent/quote.php b/agent/quote.php index a847336e..0d0476ee 100644 --- a/agent/quote.php +++ b/agent/quote.php @@ -150,22 +150,22 @@ if (isset($_GET['quote_id'])) {
- + Send Email
- + Mark Sent
- + Accept - + Decline @@ -180,7 +180,7 @@ if (isset($_GET['quote_id'])) { Toggle Dropdown
- + Mark Invoiced
@@ -209,11 +209,11 @@ if (isset($_GET['quote_id'])) { Print - + Download PDF - + Send Email @@ -222,7 +222,7 @@ if (isset($_GET['quote_id'])) { = 3) { ?>
- + Delete @@ -341,7 +341,7 @@ if (isset($_GET['quote_id'])) { Edit
- + Delete
@@ -367,6 +367,7 @@ if (isset($_GET['quote_id'])) { echo "hidden"; } ?>> +
- + Email = 3) { ?>
- + Delete